LPASS(1)                             lpass                            LPASS(1)

NAME

       lpass - command line interface for LastPass

SYNOPSIS

       lpass [ --version, -v | --help, -h ]
       lpass <subcommand> [<args>]

DESCRIPTION

       lpass is a simple command line interface to LastPass. It comprises
       several subcommands:

           lpass login [--trust] [--plaintext-key [--force, -f]] [--color=auto|never|always] USERNAME
           lpass logout [--force, -f] [--color=auto|never|always]
           lpass passwd
           lpass show [--sync=auto|now|no] [--clip, -c] [--quiet, -q] [--expand-multi, -x] [--json, -j] [--all|--username|--password|--url|--notes|--field=FIELD|--id|--name|--attach=ATTACHID] [--basic-regexp, -G|--fixed-strings, -F] [--color=auto|never|always] {NAME|UNIQUEID}*
           lpass ls [--sync=auto|now|no] [--long, -l] [-m] [-u] [--color=auto|never|always] [GROUP]
           lpass mv [--sync=auto|now|no] [--color=auto|never|always] {UNIQUENAME|UNIQUEID} GROUP
           lpass add [--sync=auto|now|no] [--non-interactive] {--name|--username, -u|--password, -p|--url|--notes|--field=FIELD|--note-type=NOTETYPE} [--color=auto|never|always] {NAME|UNIQUEID}
           lpass edit [--sync=auto|now|no] [--non-interactive] {--name|--username, -u|--password, -p|--url|--notes|--field=FIELD} [--color=auto|never|always] {NAME|UNIQUEID}
           lpass generate [--sync=auto|now|no] [--clip, -c] [--username=USERNAME] [--url=URL] [--no-symbols] [--color=auto|never|always] {NAME|UNIQUEID} LENGTH
           lpass duplicate [--sync=auto|now|no] [--color=auto|never|always] {UNIQUENAME|UNIQUEID}
           lpass rm [--sync=auto|now|no] [--color=auto|never|always] {UNIQUENAME|UNIQUEID}
           lpass status [--quiet, -q] [--color=auto|never|always]
           lpass sync [--background, -b] [--color=auto|never|always]
           lpass import [--sync=auto|now|no] [--keep-dupes] [FILENAME]
           lpass export [--sync=auto|now|no] [--color=auto|never|always] [--fields=FIELDLIST]
           lpass share userls SHARE
           lpass share useradd [--read-only=[true|false]] [--hidden=[true|false]] [--admin=[true|false]] SHARE USERNAME
           lpass share usermod [--read-only=[true|false]] [--hidden=[true|false]] [--admin=[true|false]] SHARE USERNAME
           lpass share userdel SHARE USERNAME
           lpass share create SHARE
           lpass share rm SHARE
           lpass share limit [--deny|--allow] [--add|--rm|--clear] SHARE USERNAME [sites]

   Synchronization
       The --sync options control when the current operation involves a
       synchronization with the server. If now is set, and the command makes a
       change, the change is synchronized before the command exits. If now is
       set, and the command displays a value, the local cache is synchronized
       before the value is shown. If now is set, and the command is otherwise
       successful, but synchronization fails, the command will return an
       error. If auto is set, and the command makes a change, the change is
       synchronized to the server in the background. If auto is set, and the
       command displays a value, the local cache is synchronized before the
       value is shown only if the local cache is more than 5 seconds (or
       LPASS_AUTO_SYNC_TIME seconds, if set) old. If no is set, the command
       will not interact with the server, unless there is a current upload
       queue being processed. Any local changes that are not synchronized with
       the server will exist in a queue of timestamped requests which will be
       synchronized on the next occurring synchronization.

       The sync command forces a synchronization of the local cache with the
       LastPass servers, and does not exit until the local cache is
       synchronized or until an error occurs. Alternatively, if --background
       is specified, the synchronization occurs in a daemonized process.

   Agent
       An agent process will be spawned in the background on a first
       successful command, and all subsequent commands will use the agent for
       decryption, instead of asking a user for a password. The agent will
       quit after one hour, unless the LPASS_AGENT_TIMEOUT environment
       variable is set to an alternative number of seconds in which to quit,
       or 0 to never quit. If the environment variable LPASS_AGENT_DISABLE is
       set to 1, the agent will not be used.

   Password Entry
       The pinentry program, part of gpg2(1), may be used for inputting
       passwords if it is installed. A custom path to the pinentry program can
       be provided by the LPASS_PINENTRY environment variable.

       If the pinentry program is unavailable, or if the LPASS_DISABLE_PINENTRY
       environment variable is set to 1, passwords will be read from standard
       input and a prompt will be displayed on standard error.

       The program used for inputting passwords may also be configured by
       setting the LPASS_ASKPASS environment variable. LPASS_ASKPASS is
       expected to be a binary that produces a prompt using its first
       command-line argument, and outputs the entered password to standard
       output. ssh-askpass implements this protocol, as does the following
       shell script:

           #!/bin/bash
           # Prompt on stderr so that only the password reaches stdout.
           echo -n "$*: " >/dev/stderr
           stty -echo
           # IFS= and -r keep surrounding whitespace and backslashes intact.
           IFS= read -r answer
           stty echo
           # Quote the expansion so the password is not split or glob-expanded.
           printf '%s\n' "$answer"

   Entry Specification
       Commands that take a UNIQUENAME will fail if the provided name is used
       multiple times, and return an error. Commands may alternatively take a
       UNIQUEID, which will be the integer ID provided by LastPass for
       identifying entries uniquely. Commands that take either a NAME or a
       UNIQUEID will create a new entry if a NAME is specified and otherwise
       overwrite an existing entry if UNIQUEID is specified.

   Logging In
       The login subcommand will initialize a local cache and configuration
       folder, then attempt to authenticate itself with the LastPass servers,
       using the provided command line credentials or by interactively
       prompting (in the case of multifactor or an unprovided password). The
       --trust option will cause subsequent logins to not require multifactor
       authentication. If the --plaintext-key option is specified, the
       decryption key will be saved to the hard disk in plaintext. Please note
       that use of this option is discouraged except in limited situations, as
       it greatly decreases the security of data.

       The logout subcommand will remove the local cache and stored encryption
       keys. It will prompt the user to confirm, unless --force is specified.

       The passwd subcommand may be used to change your LastPass password: it
       will prompt for the old and new password and then re-encrypt all
       records with the newly derived key.

   Viewing
       The show subcommand will display a password or selected field.

       By default, the site you specify with the show subcommand must exactly
       match the name of the site. If the --fixed-strings or -F option is set,
       then the show subcommand will find a site containing that exact
       substring; if the --basic-regexp or -G option is set, then the show
       subcommand will find a site matching a case-insensitive regular
       expression.

       By default, if your show subcommand matches more than one site, then
       the show subcommand will generate a warning and display the names of
       matching sites but no other information. The --expand-multi or -x
       option will instead show the requested information from all of the
       matching sites.

       The ls subcommand will list names in groups in a tree structure. If the
       --long or -l option is set, then also list the last modification time.
       The -u option may be passed to show the last use (last touch) time
       instead, if available. Both times are in GMT.

       Passing --json to show will generate JSON output instead of
       human-readable text.

       In addition to using the built-in formats, both show and ls subcommands
       support printf-style format strings by using the --format option with
       the following placeholders:

       •   %ai: account id

       •   %an: account name

       •   %aN: account name including path

       •   %au: account user

       •   %ap: account password

       •   %am: account modification time

       •   %aU: account last touch time

       •   %as: account share name

       •   %ag: account group name

       •   %al: account URL

       •   %fn: field name (for show)

       •   %fv: field value (for show)

       A slash can be added between the % and the placeholder to indicate that
       a slash should be appended, only if the printed value is expanded to a
       non-empty string. For example, this command will properly show the full
       path to an account: lpass ls --format="%/as%/ag%an".

   Modifying
       The edit subcommand will edit the selected field. If --non-interactive
       is not set, the selected field will be edited using EDITOR; otherwise
       the command will accept data until EOF or, unless the notes field is
       being edited, the first newline. Please note that when editing
       interactively, the contents of the field may be saved on disk in
       temporary files or in editor swap files, depending on your system
       configuration.

       The generate subcommand will create a randomly generated password for
       the chosen key name, and optionally add a URL and username while
       inserting the generated password.

       The rm command will remove the specified entry, and the duplicate
       command will create a duplicate entry of the one specified, but with a
       different ID.

   Backup
       The export subcommand will dump all account information including
       passwords to stdout (unencrypted) in CSV format. The optional
       --fields=FIELDLIST argument may contain a comma-separated subset of the
       following fields:

           id, url, username, password, extra, name, fav, id, grouping, group,
           fullname, last_touch, last_modified_gmt, attachpresent

       The import subcommand does the reverse: accounts from an unencrypted
       CSV file are uploaded to the server.

       It is recommended that such backups be encrypted at rest, for example
       by piping to and from gpg.

   Shared Folder Commands
       The share command and its accompanying subcommands can be used to
       manipulate shared folders, if available to the (enterprise or premium)
       user. The userls, useradd, usermod, and userdel subcommands may be used
       to query and modify membership of the shared folder, while the create
       and rm share subcommands may be used to add new, or delete existing
       shared folders. The normal generate and edit commands may be used to
       edit accounts within the shared folder.

       The share limit command may be used to manipulate account access lists
       on the share for a specific user. Running with no arguments will
       display the current access levels for a user. The --add, --rm, and
       --clear options may be used to add to, remove from, or reset the list.
       Passing --allow or --deny will make the list a whitelist or blacklist,
       respectively.

   Clipboard
       Commands that take a -c or --clip option will copy the output to the
       clipboard, using xclip(1) or xsel(1) on X11-based systems, pbcopy(1) on
       OSX, or putclip on Cygwin. The command to be used can be overridden by
       specifying the LPASS_CLIPBOARD_COMMAND environment variable.

   Color Output
       The --color option controls colored output to the terminal. By default,
       commands will use --color=auto, in which color output is used unless
       the output is not a tty (for example, when passed to a pipe or file).
       If always is used, colors are produced regardless of the output
       detection. If never is used, no color escape sequences are emitted.

   Configuration
       lpass stores configuration in the following locations, in descending
       order of precedence:

       •   The directory $LPASS_HOME, if set

       •   $XDG_CONFIG_HOME/lpass, $XDG_DATA_HOME/lpass, and
           $XDG_RUNTIME_DIR/lpass (or equivalent defaults), if at least
           $XDG_RUNTIME_DIR is set

       •   $HOME/.lpass

       All configuration may be specified via environment variables.
       Alternatively, a set of environment variable overrides may be specified
       in $LPASS_HOME/env in the form of:

           VARIABLE1=VALUE1
           VARIABLE2=VALUE2
           ...

   Aliases
       Default options can be specified for any command by creating command
       aliases. Command aliases are stored in the configuration directory (see
       previous section) with files named alias.command. For example, to force
       the ls subcommand to never use color, make an alias.ls file with the
       appropriate option:

           echo 'ls --color=never' > ~/.config/lpass/alias.ls

       Similarly, new subcommands can be created based on built-in subcommands
       with options. Thus,

           echo 'show --password -c' > ~/.config/lpass/alias.passclip

       would create a passclip subcommand that copies your password onto the
       clipboard.

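       The Configuration and Aliases sections above describe two on-disk
       places where defaults can be changed: the env file and the
       alias.command files. As an added example (not part of lpass or its
       documentation), this shell function reports overrides that relax the
       documented defaults; the name lpass_audit, the finding messages, and
       the rule that an alias named after a built-in should invoke that
       built-in are assumptions of the example.

```shell
#!/bin/sh
# Added example (not part of lpass): report settings in an lpass configuration
# directory that relax the defaults this manual describes. One finding per line.
lpass_audit() {
    dir=$1
    # Overrides in <dir>/env use the VARIABLE=VALUE form shown above.
    if [ -f "$dir/env" ]; then
        while IFS='=' read -r var val || [ -n "$var" ]; do
            case $var in
            LPASS_AGENT_TIMEOUT)
                case $val in
                ''|*[!0-9]*) echo "env: LPASS_AGENT_TIMEOUT is not a number" ;;
                0) echo "env: LPASS_AGENT_TIMEOUT=0, agent never quits" ;;
                *) if [ "$val" -gt 3600 ]; then
                       echo "env: LPASS_AGENT_TIMEOUT=$val is longer than the one-hour default"
                   fi ;;
                esac ;;
            LPASS_ASKPASS|LPASS_PINENTRY|LPASS_CLIPBOARD_COMMAND)
                # These programs receive or display secrets; confirm path and owner.
                echo "env: $var=$val handles secrets, verify the program" ;;
            LPASS_DISABLE_PINENTRY)
                if [ "$val" = 1 ]; then
                    echo "env: pinentry disabled, passwords are read from stdin"
                fi ;;
            esac
        done < "$dir/env"
    fi
    # alias.<command> files hold a subcommand followed by default options.
    for f in "$dir"/alias.*; do
        [ -f "$f" ] || continue
        name=${f##*/alias.}
        read -r target rest < "$f" || true
        case " $rest " in
        *" --plaintext-key "*) echo "alias.$name: stores the decryption key in plaintext" ;;
        esac
        case " $rest " in
        *" --trust "*) echo "alias.$name: later logins skip multifactor" ;;
        esac
        # Assumption of this example: a built-in's alias should run that built-in.
        case $name in
        login|logout|passwd|show|ls|mv|add|edit|generate|duplicate|rm|status|sync|import|export|share)
            if [ "$name" != "$target" ]; then
                echo "alias.$name: built-in redirected to '$target'"
            fi ;;
        esac
    done
    return 0
}
```

       Call it with the directory lpass actually uses, for example
       lpass_audit "${LPASS_HOME:-$HOME/.lpass}".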

ENVIRONMENT VARIABLES

       The following environment variables may be used for configuration as
       described in the section above:

       •   LPASS_HOME

       •   LPASS_AUTO_SYNC_TIME

       •   LPASS_AGENT_TIMEOUT

       •   LPASS_AGENT_DISABLE

       •   LPASS_PINENTRY

       •   LPASS_DISABLE_PINENTRY

       •   LPASS_ASKPASS

       •   LPASS_CLIPBOARD_COMMAND

EXAMPLES

       In the following examples, "$" indicates a shell prompt while "#"
       indicates a comment.

           # login, generate and retrieve a new password
           $ lpass login user@example.com
           $ lpass generate work/email 20
           G</Czo4*c;A+g;KIHkO-
           $ lpass ls work
           work
               email [id: 140613939481239829]
           $ lpass show -p email
           G</Czo4*c;A+g;KIHkO-

           # Copy password to clipboard
           $ lpass show -cp email

           # Add a new secure note
           $ lpass add --note-type=ssn info/my-ssn
           # (editor shows a template file; fill in and save)
           Name: info/my-ssn
           NoteType: Social Security
           Name: My Name Goes Here
           Number: 123-45-6789
           Notes:    # Add notes below this line
           Any notes I want to save go here.
           ~
           ~

           $ lpass show my-ssn
           info/my-ssn [id: 0]
           Number: 123-45-6789
           Name: My Name Goes Here
           NoteType: Social Security
           Notes:
           Any notes I want to save go here.

           # Display a secure note attachment
           $ lpass show my-secure-note
           info/my-secure-note [id: 1426405543365295118]
           URL: http://sn
           att-1426405543365295118-94690: travel-flight.pdf
           $ lpass show my-secure-note --attach att-1426405543365295118-94690
           "travel-flight.pdf" is a binary file, print it anyway (or save)?  [y/n/S] s
           Wrote 122864 bytes to "travel-flight.pdf"

           # Display secure note attachment to standard output
           $ lpass show my-secure-note --attach att-1426405543365295118-94690 --quiet
           [... binary data on stdout ...]

           # Add an account non-interactively by creating the proper template
           $ printf "Username: wizard97\nPassword: vJwhFfBBtn8hj4" | \
               lpass add Facebook --non-interactive

lpass                             09/21/2023                          LPASS(1)